
Thread: Java Security Flaw

  1. #41
    Join Date
    Aug 2009
    Beans
    Hidden!
    Distro
    Xubuntu

    Re: Java Security Flaw

    I updated the java on my Windows 7 install to 7.11 both 32 bit and 64 bit yesterday. Today I checked for a later version of the Nvidia Driver.
    There was a way to check the one on my system to what is available. It was a java applet and asked permission. Knowing I'm going to trust Nvidia pretty much I allowed it.

    But, I did appreciate the popup.

    I had a 306.xx version installed and version 310.90 was available. I downloaded it.
    But, on windows, which is susceptible to viruses, I always scan the downloaded file with my antivirus program before installing it.

    That is at least one good thing I see out of 7.11: it pops up a box and directly asks you if you want to proceed.

  2. #42
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Java Security Flaw

    Quote Originally Posted by RoadRunnr View Post
    7u11 was released 3 days ago and Ubuntu is still shipping 7u9.

    Does that mean that Ubuntu doesn't care about the safety of its user base?
    No. It means that just like Windows the distribution's features are frozen and the iso is static, so you have to do updates as soon as it is installed.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  3. #43
    Join Date
    Aug 2009
    Beans
    Hidden!
    Distro
    Xubuntu

    Re: Java Security Flaw

    Quote Originally Posted by QIII View Post
    No. It means that just like Windows the distribution's features are frozen and the iso is static, so you have to do updates as soon as it is installed.
    Right. Windows 7 didn't even jump up and tell me to upgrade to 7.11. When I checked I had 7.9 installed.

    I think I keep Ubuntu more up to date than I do my Windows 7 install. But, I am on this more too.

  4. #44
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java Security Flaw

    Oracle has released the Java 7 Update 11 and claimed that the vulnerabilities have been fixed. However, the 0day vulnerability has not been fixed according to some information. Please read this link for more details.

    For Windows, Mac OSX and Linux users who have updated to Java 7 Update 11 or have not yet applied the patch, please disable the plugin in your browser. If any website requires the Java plugin, you must disable the plugin after use.

    For Ubuntu users who have updated to Java 7 Update 11, you can apply Apparmor to increase the security of Firefox. For users who do not apply the patch, Firefox will disable the plugin by default. For implementing Apparmor for Firefox, please read this link.

    Samiux

  5. #45
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Java Security Flaw

    Apparmor won't help - a "feature" of java is that it allows remote code execution inside of java. Will apparmor stop java from executing java? :/

  6. #46
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Java Security Flaw

    Quote Originally Posted by Ms. Daisy View Post
    Apparmor won't help - a "feature" of java is that it allows remote code execution inside of java. Will apparmor stop java from executing java? :/
    After the Apparmor for Firefox is enforced, I issued the following command and it displayed the following result:

    Code:
    sudo aa-status
    Code:
    apparmor module is loaded.
    21 profiles are loaded.
    21 profiles are in enforce mode.
       /sbin/dhclient
       /usr/bin/evince
       /usr/bin/evince-previewer
       /usr/bin/evince-previewer//launchpad_integration
       /usr/bin/evince-previewer//sanitized_helper
       /usr/bin/evince-thumbnailer
       /usr/bin/evince-thumbnailer//sanitized_helper
       /usr/bin/evince//launchpad_integration
       /usr/bin/evince//sanitized_helper
       /usr/lib/NetworkManager/nm-dhcp-client.action
       /usr/lib/connman/scripts/dhclient-script
       /usr/lib/cups/backend/cups-pdf
       /usr/lib/firefox/firefox{,*[^s][^h]}
       /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
       /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
       /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
       /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
       /usr/lib/telepathy/mission-control-5
       /usr/lib/telepathy/telepathy-*
       /usr/sbin/cupsd
       /usr/sbin/tcpdump
    0 profiles are in complain mode.
    2 processes have profiles defined.
    2 processes are in enforce mode.
       /usr/lib/telepathy/mission-control-5 (1992) 
       /usr/sbin/cupsd (801) 
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
    Then, I further checked the following file:

    Code:
    sudo nano /etc/apparmor.d/abstractions/ubuntu-browsers.d/java
    I found that almost all the components of Java are allowed read-only access, except the binary of Java itself.

    To confirm if the Apparmor for Firefox is workable for the vulnerability, I need to set up a lab to test. You will be informed as soon as possible.

    Samiux
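
A check for what the listing above can confirm, as an added example that is not part of the original post: a profile in enforce mode only confines a process that is actually attached to it, which the process section of `aa-status` shows. The sample output is constructed in the format shown above, and the function names `profile_mode` and `confined_procs` are hypothetical.

```shell
#!/bin/sh
# Added example: read aa-status text and report, for a profile name prefix,
# (1) the mode the profile is loaded in and (2) how many running processes
# are confined by it. SAMPLE is constructed, modelled on the listing format.
SAMPLE='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (801)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode TEXT PREFIX -> prints enforce, complain or none
profile_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /profiles are in enforce mode/  { sec = "enforce";  next }
        /profiles are in complain mode/ { sec = "complain"; next }
        /processes /                    { sec = "";         next }
        sec != "" { sub(/^[ \t]+/, "")
                    # literal prefix match: profile names contain glob characters
                    if (index($0, p) == 1 && !found) found = sec }
        END { print (found ? found : "none") }'
}

# confined_procs TEXT PREFIX -> prints the number of running processes
# listed under a profile whose name starts with PREFIX
confined_procs() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /processes are in (enforce|complain) mode/ { sec = 1; next }
        /processes are unconfined/                 { sec = 0; next }
        sec { sub(/^[ \t]+/, ""); if (index($0, p) == 1) n++ }
        END { print n + 0 }'
}

check() {
    echo "profile=$(profile_mode "$1" "$2") confined_processes=$(confined_procs "$1" "$2")"
}

check "$SAMPLE" /usr/lib/firefox/firefox
# On a live system: check "$(sudo aa-status)" /usr/lib/firefox/firefox
```

A result of `profile=enforce confined_processes=0` means the profile is loaded but no running browser is attached to it; run the check again while Firefox is open.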

  7. #47
    Join Date
    Mar 2011
    Beans
    701

    Re: Java Security Flaw

    Quote Originally Posted by Ms. Daisy
    Apparmor won't help - a "feature" of java is that it allows remote code execution inside of java. Will apparmor stop java from executing java? :/
    It won't prevent the RCE but it will:

    1) Prevent writing/executing the payload
    2) Restrict the JRE/ attacker to the profile.

    FYI, to all concerned, there's a new Java exploit that will exploit Java update 11 (the latest) in the wild already.

  8. #48
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Java Security Flaw

    What I'm saying is the only way to fully protect from java exploits is to configure apparmor so that java cannot behave like java. The malicious code runs basically like native java. Hence apparmor would have to disable java completely. I'd love to hear that I'm wrong...

  9. #49
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Java Security Flaw

    Quote Originally Posted by Hungry Man View Post
    It won't prevent the RCE but it will:

    1) Prevent writing/executing the payload
    2) Restrict the JRE/ attacker to the profile.

    FYI, to all concerned, there's a new Java exploit that will exploit Java update 11 (the latest) in the wild already.
    Java 7u12 will likely be breached within 48 hours.

    The US Department of Homeland Security still recommends disabling the browser plugin. Some reports I have read indicate this will take two years of concerted effort to rectify, during which time the bad guys will get ready to pounce again.

  10. #50
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Java Security Flaw

    Quote Originally Posted by QIII View Post
    Will OpenJDK 7 provide you any better safety?

    In short, no.
    This is a point I've been wondering about, being very java-ignorant. I'm trusting your opinion on this, QIII.
